How to implement CSP with Intercom? | Community
Answered


  • November 3, 2023
  • 6 replies
  • 882 views

We need to add a Content Security Policy to our application that adheres to the following requirements:

  1. include a 'default-src' directive to act as a fallback for other resource types when their policy definitions are absent
  2. set explicit CSP 'script-src' and 'style-src' directives, without the use of wildcard domains
  3. not utilize any 'unsafe-' prefixed directives.

Reading through this article in Intercom Help, I think point #2 above can be addressed (but please confirm); please also advise whether points #1 and #3 can work with Intercom (e.g. can we avoid using 'unsafe-inline'?).

Best answer by Jacob Cox

6 replies

  • Author
  • New Participant
  • November 8, 2023

Would love to have feedback on if there is a way to implement this CSP - anyone knows or has an idea?


Shauna
Intercom Team
  • Intercom Team
  • November 14, 2023

Hey @Portal Support 👋🏼 Shauna here from Support!

I’ve gone ahead and opened a conversation with one of our support engineers to help you with this 👍🏼

They’ll be in touch with you soon!

Will update this thread with information as soon as this is resolved with support!


  • New Participant
  • February 26, 2024

Any updates on this? I’m in a similar boat. Adding 100+ hashes that won’t survive an update isn’t a sustainable strategy.


  • New Participant
  • March 15, 2024

Experiencing the same issue. Help article seems to be out of date too.
Can we get an update on this? 


Jacob Cox
Intercom Team
  • Sr. Technical Support Engineer
  • Answer
  • April 14, 2024

Regarding the original question here is the response from the Support Team:

  1. Yes, a default-src directive can be included in the CSP ✅
  2. Our article lists all of the domains you'd need to allow under the script and style directives

For your third point: unfortunately, removing the 'unsafe-inline' keyword from the `style-src` directive may cause compatibility issues with the Intercom Messenger app. It's important to note that the 'unsafe-inline' keyword allows inline styles to be executed, which is necessary for the proper rendering of the app.
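A small checker for the three requirements from the question, added here as an example (not Intercom's code and not from the help article): it parses a Content-Security-Policy header and reports a missing default-src, wildcard hosts in script-src/style-src, and any 'unsafe-' keyword. The host names in the sample policies are constructed placeholders, not the domains the article lists.

```python
# Added example: validate a CSP header against the three requirements in the question.
# Host names used below are constructed placeholders, not Intercom's real domains.

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source list]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def is_wildcard(source: str) -> bool:
    """True for '*' or a host-source whose host starts with '*.' (wildcard domain)."""
    host = source.split("://", 1)[-1]
    return host == "*" or host.startswith("*.")

def check_policy(header: str) -> list:
    """Return findings for requirements 1-3; an empty list means the policy complies."""
    policy = parse_csp(header)
    findings = []
    # Requirement 1: default-src must exist as the fallback for unlisted resource types.
    if "default-src" not in policy:
        findings.append("missing default-src fallback")
    # Requirement 2: script-src and style-src set explicitly, without wildcard domains.
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive)
        if sources is None:
            findings.append(f"{directive} not set explicitly")
            continue
        for src in sources:
            if is_wildcard(src):
                findings.append(f"{directive} uses wildcard source {src}")
    # Requirement 3: no 'unsafe-' keyword ('unsafe-inline', 'unsafe-eval', ...) anywhere.
    for directive, sources in policy.items():
        for src in sources:
            if src.strip("'").startswith("unsafe-"):
                findings.append(f"{directive} uses {src}")
    return findings

# Constructed sample policies (placeholder hosts; the hash value is a placeholder too).
STRICT = ("default-src 'self'; script-src 'self' https://widget.example.com; "
          "style-src 'self' https://widget.example.com 'sha256-PLACEHOLDERHASH='")
LAX = "script-src 'self' https://*.example.com; style-src 'self' 'unsafe-inline'"

if __name__ == "__main__":
    for name, header in (("STRICT", STRICT), ("LAX", LAX)):
        print(name, check_policy(header) or "compliant")
```

Running it shows the strict policy passing all three checks, while the lax one is flagged for the missing fallback, the wildcard host, and the 'unsafe-inline' keyword that the support answer above says the Messenger still needs in style-src.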



@Portal Support @Shauna @Tom Cunningham @Tanya @Jacob Cox this is a security risk that has not been mitigated yet by Intercom. This is discussed in multiple threads. I created an item on the Product Wishlist for this CSP/unsafe-inline issue, to hopefully get it prioritised.
Please upvote (and/or add your thoughts):

Thanks!